On April 4th, 2017, Patrick Webster published an advisory to the Bugtraq and Full Disclosure email lists describing a directory traversal and file access vulnerability in CA API Gateway. As reported, the web.xml file in the WEB-INF directory was accessible through directory traversal. CA previously determined that the directory traversal did not result in any potential loss of sensitive data as the contents of the WEB-INF directory and web.xml file are not sensitive in the API Gateway product. CA did not find any other potentially vulnerable condition relating to the directory traversal. CA provided updates for CA API Gateway, with releases 7.1.04, 8.3.01, 8.4.01, and 9.1, that restrict permissions to the WEB-INF directory to resolve any false-positive vulnerability detections with web security scanners or audits.